Path Traversal

2024-04-1707:33:49

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

mlflow

path traversal

vulnerability

delete_artifacts

local_artifact_repo

sanitization

user-supplied paths

double decoding

_delete_artifact_mlflow_artifacts

local_file_uri_to_path

arbitrary directories

server's filesystem

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

AI Score

7.2

Confidence

High

EPSS

Percentile

10.5%

JSON

mlflow is vulnerable to a path traversal vulnerability. The vulnerability is due to an extra unquote operation in the delete_artifacts function of local_artifact_repo.py, which fails to properly sanitize user-supplied paths. Attackers can exploit the double decoding process in the _delete_artifact_mlflow_artifacts handler and local_file_uri_to_path function allowing for the deletion of arbitrary directories on the server’s filesystem.